Firewall doesn't work

Hello,

I have a Mikrotik Router with configuration I don’t understand.

There is a first WAN IP which is netmapped to local network.

 1    ;;; WAN
      chain=srcnat action=netmap to-addresses=xxx.241.19.250 
      src-address=192.168.16.0/24 out-interface=ether13_Netia_WAN log=no 
      log-prefix=""

There are some dstnat rules on specific ports to allow external hosts to connect through WAN xxx.241.19.250, and this works as expected (when there is no accept on the firewall, connections don’t go through the NAT rules). However, there is also a dstnat rule for WAN xxx.241.19.251 which is not allowed on the firewall but works anyway!

15    ;;; service - HTTP
      chain=dstnat action=dst-nat to-addresses=192.168.16.20 to-ports=80 
      protocol=tcp dst-address=xxx.241.19.251 dst-port=80 log=no log-prefix=""

I checked that xxx.241.19.251 is not masqueraded to 192.168.16.0/24 or netmapped to 192.168.16.20, so maybe the firewall in MikroTik OS works only for masqueraded or netmapped IPs?

Firewall filter works for anything passing through the router. It’s impossible to tell what’s happening with yours if we don’t see it. Remember that it allows everything by default; there can also be the "magic" rule with connection-nat-state=dstnat to allow all forwarded ports at once, and the order of rules is very important.

Thank you, I’ve found the reason. The forward chain on this device was not closed (like I do on devices which I configure).

  ;;; drop all on WANs
      chain=forward action=drop connection-state="" in-interface-list=WANs 
      log=no log-prefix=""